Velocity Reviews - Computer Hardware Reviews
Cisco WS-C2950-24 IOS 12.1(14)EA1a

Marc Tessier
02-09-2004
Hi!

I've recently acquired one of the above mentioned Catalyst switches
for the office. I'm trying to lock down some physical interfaces
using Extended IP access-lists, but it doesn't seem like this switch
has the ip access-group command. I know I've used it before on
customer switches and the Cisco.com documentation mentions it for this
IOS version, so I don't see why this switch would be crippled. This
is the output I get for the ip command in interface configuration mode:

Marklar#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Marklar(config)#int f0/1
Marklar(config-if)#ip ?
Interface IP configuration subcommands:
address Set the IP address of an interface
igmp IGMP interface commands

This is the show version output :

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a,
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino
Image text-base: 0x80010000, data-base: 0x805C0000

ROM: Bootstrap program is CALHOUN boot loader

Marklar uptime is 22 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

cisco WS-C2950-24 (RC32300) processor (revision M0) with 20710K bytes
of memory.
Processor board ID FOC0745Z0BP
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.


Anyone know why these commands don't show up ?
Brian V
02-10-2004
Marc,

The 2950 is a layer 2 switch. You cannot do access lists on the Ethernet
interfaces. With the EI version you can apply them to VLAN interfaces... not
sure if that will only affect switch management, though.

-Brian
"Marc Tessier" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi!
>
> I've recently acquired one of the above mentioned Catalyst switches
> for the office. I'm trying to lock down some physical interfaces
> using Extended IP access-lists, but it doesn't seem like this switch
> has the ip access-group command. I know i've used it before on
> customer switches and the Cisco.com documentation mentions it for this
> IOS Version, so I don't see why this switch would be crippled. This
> is the output I get for the ip command in interface configuration mode
> :
>
> Marklar#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Marklar(config)#int f0/1
> Marklar(config-if)#ip ?
> Interface IP configuration subcommands:
> address Set the IP address of an interface
> igmp IGMP interface commands
>
> This is the show version output :
>
> Cisco Internetwork Operating System Software
> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a,
> RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> Compiled Tue 02-Sep-03 03:33 by antonino
> Image text-base: 0x80010000, data-base: 0x805C0000
>
> ROM: Bootstrap program is CALHOUN boot loader
>
> Marklar uptime is 22 minutes
> System returned to ROM by power-on
> System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"
>
> cisco WS-C2950-24 (RC32300) processor (revision M0) with 20710K bytes
> of memory.
> Processor board ID FOC0745Z0BP
> Last reset from system-reset
> Running Standard Image
> 24 FastEthernet/IEEE 802.3 interface(s)
>
> 32K bytes of flash-simulated non-volatile configuration memory.
>
>
> Anyone know why these commands don't show up ?

Walter Roberson
02-10-2004
In article <x_WVb.12692$032.44869@attbi_s53>,
Brian V <(E-Mail Removed)> wrote:
:The 2950 is a layer 2 switch. You cannot do access lists in the ethernet
:interfaces. With the ei version you can apply them to vlan interfaces...not
:sure if that will only effect switch management tho.

http://www.cisco.com/en/US/products/...b7b.html#77762

access-list (IP extended)

This command is available on physical interfaces only if your switch is
running the enhanced software image (EI).

http://www.cisco.com/en/US/products/...0801cde58.html

"Configuring Network Security with ACLs"

You can create ACLs for physical interfaces or management
interfaces. A management interface is defined as a management VLAN
or any traffic that is going directly to the CPU, such as SNMP,
Telnet, or web traffic. You can create ACLs for management
interfaces with the standard software image (SI) or the enhanced
software image (EI) installed on your switch. However, you must
have the EI installed on your switch to apply ACLs to physical
interfaces.


In short: with SI you can only do the management interfaces.
With EI you can put access-lists on the ethernet ports.


However:

In an IP extended ACL (both named and numbered), a Layer 4
system-defined mask cannot precede a Layer 3 user-defined mask. For
example, a Layer 4 system-defined mask such as permit tcp any any
or deny udp any any cannot precede a Layer 3 user-defined mask such
as permit ip 10.1.1.1 any. If you configure this combination, the
ACL is not allowed on a Layer 2 interface. All other combinations
of system-defined and user-defined masks are allowed in security
ACLs. [...]


Only four user-defined masks can be defined for the entire system.
These can be used for either security or quality of service (QoS)
but cannot be shared by QoS and security. You can configure as many
ACLs as you require. However, a system error message appears if
ACLs with more than four different masks are applied to
interfaces. [...]


All ACEs in an ACL must have the same user-defined mask. However,
ACEs can have different rules that use the same mask. On a given
interface, only one type of user-defined mask is allowed, but you
can apply any number of system-defined masks
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
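The mask rules quoted above (and Marc's later remark that a single mask has to be reused for every rule) are easy to trip over when an ACL is written by hand. The lint below is an added example, written for this thread and not Cisco's code: it reads ACEs in IOS syntax and flags the two per-ACL rules plus the switch-wide budget of four user-defined masks. It assumes, from the thread's wording, that an ACE whose source and destination are both `any` uses a system-defined mask, that a user-defined mask is identified by its (source wildcard, destination wildcard) pair, and that a bare address with no wildcard, as in the quoted `permit ip 10.1.1.1 any`, is a host. The sample ACLs, addresses and the helper names are constructed for the example.

```python
"""Lint extended IP ACLs against the Catalyst 2950 Layer 2 mask rules quoted
in this thread.  Added example; the mask model below is an assumption drawn
from the thread's own examples, not from Cisco documentation."""
import re

ANY_MASK = "255.255.255.255"   # wildcard that matches every address ('any')
HOST_MASK = "0.0.0.0"          # wildcard that matches one address ('host')
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens to skip
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAX_USER_MASKS = 4             # per the thread: four user-defined masks per switch


def _address(tokens, i):
    """Parse one address spec at tokens[i]; return (wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY_MASK, i + 1
    if tok == "host":
        return HOST_MASK, i + 2
    if IPV4.match(tok):
        if i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
            return tokens[i + 1], i + 2        # address followed by wildcard
        return HOST_MASK, i + 1                # bare address: assume a host
    raise ValueError(f"bad address spec {tok!r}")


def _skip_port(tokens, i):
    """Skip an optional port operator such as 'eq 22' or 'range 1 1023'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + PORT_OPS[tokens[i]]
    return i


def parse_ace(line):
    """Return (action, proto, src_mask, dst_mask), or None for non-ACE lines."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:      # numbered form: access-list 101 permit ...
        tokens = tokens[2:]
    if tokens and tokens[0].isdigit():     # named form with a sequence number
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None                        # remark, blank line, etc.
    action, proto = tokens[0], tokens[1]
    src, i = _address(tokens, 2)
    i = _skip_port(tokens, i)              # optional source port operator
    dst, i = _address(tokens, i)
    return action, proto, src, dst


def is_system_defined(src_mask, dst_mask):
    """Assumption: 'any any' ACEs use a system-defined mask."""
    return src_mask == ANY_MASK and dst_mask == ANY_MASK


def lint_acl(lines):
    """Return violations of the two per-ACL rules quoted in the thread."""
    problems = []
    first_l4_system = None   # line number of the first 'tcp/udp any any' ACE
    user_mask = None         # the one user-defined mask this ACL may use
    for n, line in enumerate(lines, 1):
        ace = parse_ace(line)
        if ace is None:
            continue
        _, proto, src, dst = ace
        if is_system_defined(src, dst):
            if proto in ("tcp", "udp") and first_l4_system is None:
                first_l4_system = n
            continue
        # Rule 1: a Layer 4 system-defined mask cannot precede a Layer 3 user-defined mask.
        if proto == "ip" and first_l4_system is not None:
            problems.append(f"line {n}: Layer 3 user-defined mask follows Layer 4 "
                            f"system-defined mask on line {first_l4_system}")
        # Rule 2: every ACE in the ACL must use the same user-defined mask.
        if user_mask is None:
            user_mask = (src, dst)
        elif (src, dst) != user_mask:
            problems.append(f"line {n}: mask {(src, dst)} differs from ACL mask {user_mask}")
    return problems


def user_defined_masks(acls):
    """Distinct user-defined masks across all ACLs applied on the switch."""
    masks = set()
    for lines in acls:
        for line in lines:
            ace = parse_ace(line)
            if ace and not is_system_defined(ace[2], ace[3]):
                masks.add((ace[2], ace[3]))
    return masks


# Constructed sample ACLs in IOS syntax (addresses from the 192.0.2.0/24 test net).
GOOD_ACL = [
    "access-list 101 permit tcp host 192.0.2.10 any eq 22",
    "access-list 101 permit tcp host 192.0.2.10 any eq 443",
    "access-list 101 deny ip any any",
]
BAD_ACL = [
    "access-list 102 permit tcp any any eq 80",
    "access-list 102 permit ip host 192.0.2.10 any",
    "access-list 102 permit udp 192.0.2.0 0.0.0.255 any",
]

if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, lint_acl(acl) or "ok")
    used = user_defined_masks([GOOD_ACL, BAD_ACL])
    print(f"{len(used)} of {MAX_USER_MASKS} user-defined masks in use")
```

Run as a script it reports `GOOD_ACL ok`, two violations for `BAD_ACL` (the `permit ip host ...` line follows a `permit tcp any any`, and the `/24` wildcard differs from the host mask the ACL already uses), and two user-defined masks in use across both lists. Feeding it every ACL you intend to apply on the switch gives an early warning before the system error message the documentation mentions.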

Brian V
02-10-2004
So I thought too...

Here's my 2950 running ei software:

Brian_2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Brian_2950(config)#access-list 101 permit ip any any
Brian_2950(config)#int f0/1
Brian_2950(config-if)#ip access-group 101 in
^
% Invalid input detected at '^' marker.

Brian_2950(config-if)#ip ?
Interface IP configuration subcommands:
address Set the IP address of an interface
igmp IGMP interface commands

Brian_2950(config-if)#int vlan 1
Brian_2950(config-if)#ip access-group 101 in
Brian_2950(config-if)#^Z
Brian_2950#

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:c09i7h$44b$(E-Mail Removed)...
> In article <x_WVb.12692$032.44869@attbi_s53>,
> Brian V <(E-Mail Removed)> wrote:
> :The 2950 is a layer 2 switch. You cannot do access lists in the ethernet
> :interfaces. With the ei version you can apply them to vlan interfaces...not
> :sure if that will only effect switch management tho.
>
> http://www.cisco.com/en/US/products/...b7b.html#77762
>
> access-list (IP extended)
>
> This command is available on physical interfaces only if your switch is
> running the enhanced software image (EI).
>
> http://www.cisco.com/en/US/products/...0801cde58.html
>
> "Configuring Network Security with ACLs"
>
> You can create ACLs for physical interfaces or management
> interfaces. A management interface is defined as a management VLAN
> or any traffic that is going directly to the CPU, such as SNMP,
> Telnet, or web traffic. You can create ACLs for management
> interfaces with the standard software image (SI) or the enhanced
> software image (EI) installed on your switch. However, you must
> have the EI installed on your switch to apply ACLs to physical
> interfaces.
>
>
> In short: with SI you can only do the management interfaces.
> With EI you can put access-lists on the ethernet ports.
>
>
> However:
>
> In an IP extended ACL (both named and numbered), a Layer 4
> system-defined mask cannot precede a Layer 3 user-defined mask. For
> example, a Layer 4 system-defined mask such as permit tcp any any
> or deny udp any any cannot precede a Layer 3 user-defined mask such
> as permit ip 10.1.1.1 any. If you configure this combination, the
> ACL is not allowed on a Layer 2 interface. All other combinations
> of system-defined and user-defined masks are allowed in security
> ACLs. [...]
>
>
> Only four user-defined masks can be defined for the entire system.
> These can be used for either security or quality of service (QoS)
> but cannot be shared by QoS and security. You can configure as many
> ACLs as you require. However, a system error message appears if
> ACLs with more than four different masks are applied to
> interfaces. [...]
>
>
> All ACEs in an ACL must have the same user-defined mask. However,
> ACEs can have different rules that use the same mask. On a given
> interface, only one type of user-defined mask is allowed, but you
> can apply any number of system-defined masks
> --
> "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
> WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)

Walter Roberson
02-10-2004
In article <9eZVb.266632$xy6.1375863@attbi_s02>,
Brian V <(E-Mail Removed)> wrote:
:so I thought too...

:Here's my 2950 running ei software:

:Brian_2950(config)#int f0/1
:Brian_2950(config-if)#ip access-group 101 in

I just noticed from your Subject line that you are running 12.1(14)EA1a .
I did not cross-check to see how far back ACLs on physical interfaces
are supported: I might have been giving information about 12.1(19).
--
Live it up, rip it up, why so lazy?
Give it out, dish it out, let's go crazy, yeah!
-- Supertramp (The USENET Song)

Marc Tessier
02-10-2004
"Brian V" <(E-Mail Removed)> wrote in message news:<x_WVb.12692$032.44869@attbi_s53>...
> Marc,
>
> The 2950 is a layer 2 switch. You cannot do access lists in the ethernet
> interfaces. With the ei version you can apply them to vlan interfaces...not
> sure if that will only effect switch management tho.


Hi!

Thanks for the reply. I noticed just after posting that our customer
switches are running the EI. I hadn't noticed the paragraph saying that
applying access-lists to physical interfaces was only available on the
EI. Anyway, to answer the rest of the thread, the ip access-group
function is available since 12.1(6) on physical interfaces. It does
have some pretty severe limitations as far as access-lists go (only
1 mask can be defined for an access list and it has to be re-used for
every rule), but it still has its uses.

Also, applying access-lists to the vlan interfaces only affects
switch management, and not traffic actually switched through the
vlans. It's pretty much useless unless you want to make sure only 1
box can talk to the switch.